Linux Services Organization

Our goal: to introduce Linux services to the enterprise world.
Contact us at contact@linuxsv.org

Linux Services Organization : Linux Logs Linux Server

On Red Hat 6 the syslogd service has been replaced by rsyslog as the service responsible for managing system log messages. The rsyslog service implements the basic syslog protocol and extends it with encryption, filtering and a modular design.

/etc/rsyslog.conf

The rsyslog configuration lives in the file /etc/rsyslog.conf, which has the following structure:

$ cat /etc/rsyslog.conf

#rsyslog v3 config file

#### MODULES ####
###
Thanks to the modular design of rsyslog, modules can be loaded in this section to add functionality dynamically.

$ModLoad imuxsock.so          # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so               # provides kernel logging support (previously done by rklogd)
#$ModLoad immark.so          # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####
###
This section specifies the general configuration options for rsyslog.

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

#### RULES ####
###
This section configures where the logs are written, depending on the facility (log type) and the priority level of each message.

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spool/rsyslog # where to place spool files (the directory must exist)
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

For more info: man rsyslog.conf
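As an added example (not part of the tutorial), the following Python resolves the classic selector syntax used in the RULES section above: given a message's facility and priority it lists the actions that receive it, which shows for instance that authpriv messages are kept out of /var/log/messages and land only in the access-restricted /var/log/secure. It handles `facility.priority` (that level and higher), `*`, `none`, `=priority` and `!priority`; the rule lines are the uncommented ones from the default file shown above.

```python
# Added example: resolve sysklogd/rsyslog selectors from the RULES section above.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]


def parse_rule(line):
    """Return (mask, action): mask maps each facility to the set of severities that match."""
    selectors, action = line.split()
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):            # selectors apply left to right
        facs, pri = sel.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        for f in targets:
            if pri == "none":                   # mail.none: drop this facility entirely
                mask[f] = set()
            elif pri == "*":
                mask[f] = set(SEVERITIES)
            elif pri.startswith("="):           # =crit: exactly this level
                mask[f] = {pri[1:]}
            elif pri.startswith("!"):           # !crit: remove this level and higher
                mask[f] -= set(SEVERITIES[:SEVERITIES.index(pri[1:]) + 1])
            else:                               # info: this level and higher (lower index)
                mask[f] = set(SEVERITIES[:SEVERITIES.index(pri) + 1])
    return mask, action


def route(rules, facility, severity):
    """List the actions (files, '*' for all logged-in users, ...) that a message reaches."""
    return [action for mask, action in rules if severity in mask[facility]]


# Rule lines copied from the default /etc/rsyslog.conf shown above.
RULES = [parse_rule(line) for line in [
    "*.info;mail.none;authpriv.none;cron.none /var/log/messages",
    "authpriv.* /var/log/secure",
    "mail.* -/var/log/maillog",
    "cron.* /var/log/cron",
    "*.emerg *",
    "uucp,news.crit /var/log/spooler",
    "local7.* /var/log/boot.log",
]]

if __name__ == "__main__":
    for fac, sev in [("authpriv", "info"), ("kern", "emerg"), ("daemon", "debug")]:
        print(f"{fac}.{sev:<6} -> {route(RULES, fac, sev)}")
```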

The rsyslog server

By default the rsyslog service handles only local logs, but with a few configuration changes it can listen for log messages from other systems over the network and act as a rsyslog server.

* In the MODULES section of /etc/rsyslog.conf, uncomment the lines related to network reception (UDP in this example) and restart the service:

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

$ /etc/init.d/rsyslog restart

Now rsyslog is listening on port 514 (UDP, as configured above; if the firewall allows it) and is ready to receive logs from other systems. To accept TCP instead, uncomment the imtcp lines in the same section.

* Configuring another system as a client of the rsyslog server is easy: add the following line to the client's /etc/rsyslog.conf and restart the service (a single @ forwards over UDP; @@ forwards over TCP, as in the forwarding rule of the default file):

*.*                       @rsyslog_server_ip

client> /etc/init.d/rsyslog restart
Now the logs from the client are forwarded to the rsyslog server.
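The datagram that the client line above sends, as an added example that is not part of the tutorial: the following Python builds a BSD-syslog (RFC 3164) line with its PRI value (facility * 8 + severity), parses such a line the way the receiving server must, and shows the plain UDP send that `@server` performs. Host, tag and message text in the sample are constructed; `forward_udp` is only invoked by hand.

```python
# Added example: the BSD-syslog (RFC 3164) line that '*.* @server' sends over UDP/514.
import re
import socket
import time

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "security", "console", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. authpriv.notice -> 85."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def build_message(facility, severity, hostname, tag, text, when=None):
    """Format one line as the forwarding client would: <PRI>TIMESTAMP HOST TAG: MSG."""
    lt = time.localtime(when)
    stamp = f"{time.strftime('%b', lt)} {lt.tm_mday:2d} {time.strftime('%H:%M:%S', lt)}"
    return f"<{encode_pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def parse_message(line):
    """Decode a received line (the server side) back into its fields; reject malformed input."""
    m = LINE_RE.match(line)
    if not m or int(m.group(1)) > 191:          # 23 facilities * 8 + 7 is the largest valid PRI
        raise ValueError(f"not a valid BSD syslog line: {line!r}")
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group(2), "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def forward_udp(line, server_ip, port=514):
    """Send one line like '@server' does: a plain UDP datagram, neither encrypted nor authenticated."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (server_ip, port))


if __name__ == "__main__":
    # Constructed sample; host, tag and user name are made up.
    line = build_message("authpriv", "notice", "client01", "sshd[2201]", "Accepted publickey for alice")
    print(line)
    print(parse_message(line))
```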

Logrotate

Log files can grow without bound and become unmanageable. The logrotate utility 'rotates' log files, keeping only a limited number of older copies (compressed if requested), so that logs do not grow forever. Logrotate is run by crond on a regular basis and has its main configuration file at /etc/logrotate.conf:

$ cat /etc/logrotate.conf

# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# RPM packages drop log rotation information into this directory
include /etc/logrotate.d

* This file sets the general configuration parameters for logrotate: files are rotated weekly, keeping only the last 4 rotated files, with no compression. For per-file rotation settings, a configuration file can be created in the /etc/logrotate.d directory:

$ cat /etc/logrotate.d/syslog

/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

* For the log files listed (secure, maillog, ...) the rotation is done weekly, keeping the last four rotated files with no compression. After each rotation the postrotate script sends rsyslogd a HUP signal so that it reopens the freshly created log files; sharedscripts runs that script once for the whole group instead of once per file.
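As an added example that is not part of the tutorial, the following Python simulates what logrotate does to the files above (shift .1 to .2 and so on, delete the copy beyond `rotate N`, optionally gzip as the `compress` keyword would) against a writer that keeps its file descriptor open the way rsyslogd does. It shows why the postrotate HUP matters: until the daemon reopens its files, a message logged after the rename goes into the rotated file, and with compression it is lost. File names and log lines are constructed.

```python
# Added example: a minimal logrotate pass and the effect of the open descriptor.
import gzip
import os
import tempfile


def rotate(path, keep=4, compress=False):
    """One logrotate pass: messages -> messages.1, .1 -> .2, ...; the copy past `keep` is deleted."""
    ext = ".gz" if compress else ""
    oldest = f"{path}.{keep}{ext}"
    if os.path.exists(oldest):
        os.remove(oldest)
    for n in range(keep - 1, 0, -1):               # shift .3 -> .4, .2 -> .3, .1 -> .2
        if os.path.exists(f"{path}.{n}{ext}"):
            os.rename(f"{path}.{n}{ext}", f"{path}.{n + 1}{ext}")
    if not os.path.exists(path):
        return
    if compress:                                    # 'compress': .1.gz is a new file, the old inode is unlinked
        with open(path, "rb") as src, gzip.open(f"{path}.1.gz", "wb") as dst:
            dst.write(src.read())
        os.remove(path)
    else:                                           # no 'compress': a plain rename keeps the same inode
        os.rename(path, f"{path}.1")


def simulate(rounds, keep=4, compress=False):
    """Write, rotate and reopen (as 'kill -HUP' makes rsyslogd do); return file name -> contents."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "messages")
    writer = open(log, "a")                         # stands in for rsyslogd's long-lived descriptor
    for r in range(1, rounds + 1):
        writer.write(f"round {r}\n"); writer.flush()
        rotate(log, keep, compress)
        writer.write(f"late {r}\n"); writer.flush()  # logged after the rename, before the HUP
        writer.close(); writer = open(log, "a")     # the reopen triggered by the postrotate HUP
    writer.close()
    out = {}
    for name in sorted(os.listdir(d)):
        opener = gzip.open if name.endswith(".gz") else open
        with opener(os.path.join(d, name), "rb") as f:
            out[name] = f.read().decode()
    return out


if __name__ == "__main__":
    for name, body in simulate(6).items():
        print(name, repr(body))
```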

Questions

1.- Rsyslog manages only the local system logs (true/false)

2.- Rsyslogd server can listen on TCP or UDP ports (true/false)

3.- Which line must be used in /etc/rsyslog.conf in order to redirect any log to a remote rsyslog server on 192.168.10.100?

4.- Logrotate service runs as a system daemon logrotated (true/false)

5.- The command 'lastlog' scans the system log files and shows the last login of each system user (true/false)

Labs

1.- Configure rsyslog to redirect any kernel log to /var/log/kernel.

2.- Configure your virtual server as a rsyslog server and use a second virtual machine to redirect all its logs to your server.

3.- Create a logrotate configuration file to rotate the file /var/log/kernel when it reaches 10K in size. Keep a maximum of 3 compressed files.

-- This page is part of Linux Server online tutorial --